Our workspace structure is multitiered, as I suspect most are. Is there a way to assign ACLs at one level of a workspace, and have them automatically applied to all sub-tiers? It seems that I need to explicitly add the permissions to all sub-tiers.

The reason for this is that we have some roles that need access to an entire group of objects, and then there are smaller roles that only need access to a subgroup of those objects. The roles that need access to the entire group obviously need access to all the different subgroups.

When I apply the ACLs for the larger role to the entire group, they don't seem to get inherited by all subgroups (much in the way that you control ACLs on Windows folders and have the option to inherit parent permissions).

Is this possible? If it is, what have people found to be the best method to accomplish this?

As you have seen, when you directly change permissions on a group for example, they only affect that object; they are not inherited by any objects within that object.

What I find most admins do is they define and then apply ACL Templates to the top level folders by right-clicking and selecting Update Permissions, and then choosing the appropriate ACL Template. When you perform an Update Permissions on a group, it will recurse into all sub-groups updating the permissions of all objects that are encountered.

The only way you can automate this is by using the BLCLI. You could write a simple script which applies ACL Templates to specific folders on a regular basis so that you don't have to do this manually all the time.

The only "gotcha" you need to look out for is nested Smart Groups. Consider this scenario:

- Someone creates a Smart Group in a sub-folder called "All Objects" containing all objects they have read access against.

- You apply your ACL Template at a top level group to recursively update the permissions of all objects within that group.

- The Update Permissions gets to the Smart Group and updates the permissions of all objects within that Smart Group, potentially updating objects that you didn't intend to update.
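
The Smart Group scenario from the answer above, as an added example that is not part of the original posts: a small Python model of the recursion that lists which objects a recursive update would reach only through a Smart Group, so they can be reviewed before the ACL Template is applied. It does not call BLCLI; the class names, function names, role name and workspace contents are all constructed for illustration.

```python
from dataclasses import dataclass, field

@dataclass
class Obj:                      # a job, package, server, etc.
    name: str
    acl: set = field(default_factory=set)   # {(role, authorization)}

@dataclass
class Group:                    # static group: holds what was placed in it
    name: str
    children: list = field(default_factory=list)

@dataclass
class SmartGroup:               # membership comes from conditions, not location
    name: str
    matches: list = field(default_factory=list)

def walk(group, follow_smart):
    """Yield every Obj reached by recursing from group."""
    for child in group.children:
        if isinstance(child, Obj):
            yield child
        elif isinstance(child, SmartGroup):
            if follow_smart:
                yield from child.matches
        else:
            yield from walk(child, follow_smart)

def unintended_targets(group):
    """Names of objects reached only through a Smart Group."""
    placed = {id(o) for o in walk(group, follow_smart=False)}
    return sorted({o.name for o in walk(group, True) if id(o) not in placed})

def update_permissions(group, template):
    """Model of the recursive update as the answer describes it."""
    touched = list(walk(group, follow_smart=True))
    for obj in touched:
        obj.acl |= template
    return sorted({o.name for o in touched})

def build_sample():
    """Constructed workspace: 'Web' holds one job plus an 'All Objects' Smart Group."""
    web_job, db_job = Obj("job-web-1"), Obj("job-db-1")
    smart = SmartGroup("All Objects", [web_job, db_job])
    web = Group("Web", [web_job, Group("Scratch", [smart])])
    return web, db_job

if __name__ == "__main__":
    web, db_job = build_sample()
    print("would also be updated:", unintended_targets(web))
    print("updated:", update_permissions(web, {("WebAdmins", "Read")}))
    print("job-db-1 ACL now:", db_job.acl)
```
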